Elevated CISO would strengthen HHS cybersecurity — panel
Elevating the Department of Health and Human Services’ chief information security officer to an equal of the CIO would eliminate an institutional conflict blamed for a series of department data breaches in recent years, a panel of nongovernment health IT experts said.
“A CIO is typically concerned about availability and uptime of IT, as opposed to privacy or sensitive information,” Josh Corman, director of the Cyber Statecraft Initiative at the Atlantic Council and self-described “staunch advocate of the CISO role,” said before the House Energy and Commerce Committee’ Subcommittee on Health Wednesday.
No officials from HHS were present at the hearing, although lawmakers promised to consult with the department.
The full committee introduced a bill in April that would elevate HHS’ CISO to a presidentially appointed position no longer subordinate to the CIO. The bill came as the result of the committee’s December 2013 investigation into HHS cybersecurity, particularly at the Food and Drug Administration, which had faced a breach of its internal network months earlier.
[Read more: House bill would elevate HHS CISO from CIO’s purview]
That investigation revealed several other breaches across HHS agencies. It found that all of them were due in some part to an organizational structure that sacrificed security for operational efficiency.
Several of the panelists had experience, both in and out of government, with this sort of conflict between CIO and CISO.
Corman said it’s pretty much the job and a requirement of security teams to “interrupt uptime” of systems — to “do security assessments or do healthy security patching.”
That can cause a tension between the CIO and CISO, and because of the hierarchy, “it usually leads to the CIO winning,” he said.
Many times, breaches stem from very minor vulnerabilities that could have easily been corrected but are left alone for months or years, the panelists said.
Often with breaches, “there was a fix, there was a patch that somebody could have applied, there was a configuration somebody could have made, there was a port somebody could have closed, there was a policy somebody could have pushed out, and those things weren’t done,” said Mac McMillan, CEO of CynergisTek Inc and a former Defense Department information security official.
“They put off the ‘blocking and tackling’ … because they’re too operationally focused on the number of projects they have.”
He added, “Then somebody says, ‘Oh by the way, you have to do this patching and fixing and hardening and all of these other things that take care of systems day in and day out.’ And unfortunately what happens is the pressure is on them so intensely to roll systems out, to roll services out, to roll productivity out, that unfortunately it does create conflicts, they do make choices, and sometimes those choices are not the best ones from a security perspective.”
Because of the particularly sensitive information that HHS and other entities within the health care infrastructure hold, the significance of information security in those organizations is much greater, panelists argued.
“For health care providers, a significant security incident or breach may lead to a disruption in patient care,” said Samantha Burch, senior director of congressional affairs for the Healthcare Information and Management Systems Society in North America. “As such, it is clear that health care organizations need a cybersecurity leader to manage, as well as mitigate, security risks.”
But this problem isn’t unique to HHS, the panelists said; and if elevating the CISO is passed into law and at all successful, it could be used as a model for other agencies.
“There’s a tremendous value in experimentation, and I really applaud the spirit of this bill to try an alternative reporting structure in one agency, and if successful it could be replicated across other agencies,” Corman said.
Some subcommittee members were concerned by the absence of HHS representatives.
“I’m disappointed we couldn’t ensure that HHS had an opportunity to be here today to express their own views,” said Frank Pallone, D-N.J. “HHS should be able to testify to whether this organizational chance makes sense from their perspective and if could potentially exacerbate the problem it’s trying to solve.”
Pallone said HHS couldn’t attend because “the majority rushed this hearing.”
Chairman Joe Pitts, R-Pa., said the subcommittee will be consulting with HHS.
Contact the reporter on this story via email at Billy.Mitchell@FedScoop.com or follow him on Twitter @BillyMitchell89. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.